ed37130407e99a56c6b07852559709d2b95a7df236b03bfa9b6b76a0650e8f05

Analysis

max time kernel
234s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed37130407e99a56c6b07852559709d2b95a7df236b03bfa9b6b76a0650e8f05.exe
Size

1.1MB
MD5

e82d401adfe4e2f025be3d100c01d534
SHA1

c0adf45e735d6f9b5e5187202656d3398c7f3543
SHA256

ed37130407e99a56c6b07852559709d2b95a7df236b03bfa9b6b76a0650e8f05
SHA512

6eb590f57ce266048caa91b3cf4174bd94a23b125e9f9514491bbd1813def8dcda51316594f452f5db235777273cdb837a467909a7e0c4626a13ddac3cbada00
SSDEEP

24576:sXgApMi+1/HKYuAOG6Zk6LbTQ0XioqljkujxBMZO3bcjUFYVXfV6sR/d3ZL:41pne6H0ciN4uncO3IPBt6u/T

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1696	QQÍ¼±êµãÁÁÆ÷.exe
428	YD_Server.exe
2016	360fp.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1696-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-66-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-69-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-73-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-71-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-75-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-77-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-79-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-83-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-85-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-87-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-89-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-81-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-91-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-93-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-95-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-97-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-99-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-101-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-103-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-64-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-107-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-105-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-113-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
748	ed37130407e99a56c6b07852559709d2b95a7df236b03bfa9b6b76a0650e8f05.exe
748	ed37130407e99a56c6b07852559709d2b95a7df236b03bfa9b6b76a0650e8f05.exe
1696	QQÍ¼±êµãÁÁÆ÷.exe
1696	QQÍ¼±êµãÁÁÆ÷.exe
428	YD_Server.exe
428	YD_Server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ed37130407e99a56c6b07852559709d2b95a7df236b03bfa9b6b76a0650e8f05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ed37130407e99a56c6b07852559709d2b95a7df236b03bfa9b6b76a0650e8f05.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\360fp.exe	360fp.exe
File created	C:\Windows\SysWOW64\360fp.exe	YD_Server.exe
File opened for modification	C:\Windows\SysWOW64\360fp.exe	YD_Server.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	1840	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1840	AUDIODG.EXE
Token: 33	1840	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1840	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	428	YD_Server.exe
Token: SeIncBasePriorityPrivilege	2016	360fp.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1696	QQÍ¼±êµãÁÁÆ÷.exe
1696	QQÍ¼±êµãÁÁÆ÷.exe
1696	QQÍ¼±êµãÁÁÆ÷.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1696	748	ed37130407e99a56c6b07852559709d2b95a7df236b03bfa9b6b76a0650e8f05.exe	28
PID 748 wrote to memory of 1696	748	ed37130407e99a56c6b07852559709d2b95a7df236b03bfa9b6b76a0650e8f05.exe	28
PID 748 wrote to memory of 1696	748	ed37130407e99a56c6b07852559709d2b95a7df236b03bfa9b6b76a0650e8f05.exe	28
PID 748 wrote to memory of 1696	748	ed37130407e99a56c6b07852559709d2b95a7df236b03bfa9b6b76a0650e8f05.exe	28
PID 1696 wrote to memory of 428	1696	QQÍ¼±êµãÁÁÆ÷.exe	30
PID 1696 wrote to memory of 428	1696	QQÍ¼±êµãÁÁÆ÷.exe	30
PID 1696 wrote to memory of 428	1696	QQÍ¼±êµãÁÁÆ÷.exe	30
PID 1696 wrote to memory of 428	1696	QQÍ¼±êµãÁÁÆ÷.exe	30
PID 428 wrote to memory of 2016	428	YD_Server.exe	31
PID 428 wrote to memory of 2016	428	YD_Server.exe	31
PID 428 wrote to memory of 2016	428	YD_Server.exe	31
PID 428 wrote to memory of 2016	428	YD_Server.exe	31
PID 428 wrote to memory of 664	428	YD_Server.exe	32
PID 428 wrote to memory of 664	428	YD_Server.exe	32
PID 428 wrote to memory of 664	428	YD_Server.exe	32
PID 428 wrote to memory of 664	428	YD_Server.exe	32
PID 2016 wrote to memory of 2020	2016	360fp.exe	33
PID 2016 wrote to memory of 2020	2016	360fp.exe	33
PID 2016 wrote to memory of 2020	2016	360fp.exe	33
PID 2016 wrote to memory of 2020	2016	360fp.exe	33

C:\Users\Admin\AppData\Local\Temp\ed37130407e99a56c6b07852559709d2b95a7df236b03bfa9b6b76a0650e8f05.exe
"C:\Users\Admin\AppData\Local\Temp\ed37130407e99a56c6b07852559709d2b95a7df236b03bfa9b6b76a0650e8f05.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQÍ¼±êµãÁÁÆ÷.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQÍ¼±êµãÁÁÆ÷.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YD_Server.exe
    YD_Server
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\SysWOW64\360fp.exe
      "C:\Windows\system32\360fp.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\360fp.exe > nul
        5⤵
        
        PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YD_SER~1.EXE > nul
      4⤵
      PID:664

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x57c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQÍ¼±êµãÁÁÆ÷.exe

Filesize
1.7MB

MD5
0010d2dc547c4ca7f38351b203fc3b18

SHA1
d6f8607ee6c7793198a1e2113c2bc9c33b333eff

SHA256
810abb8b9da7112cc241f09e7e975e9084b98cb0c10108ea0e8f87b56480a075

SHA512
ee76ac5643fe17f45f5c90dc49c2dbb299c330c041c57e6e87c49b3c32a73fc726a138b5fba553b85ba41bf29527108a722519b6c8052c5e04794880d41c6209

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQÍ¼±êµãÁÁÆ÷.exe

Filesize
1.7MB

MD5
0010d2dc547c4ca7f38351b203fc3b18

SHA1
d6f8607ee6c7793198a1e2113c2bc9c33b333eff

SHA256
810abb8b9da7112cc241f09e7e975e9084b98cb0c10108ea0e8f87b56480a075

SHA512
ee76ac5643fe17f45f5c90dc49c2dbb299c330c041c57e6e87c49b3c32a73fc726a138b5fba553b85ba41bf29527108a722519b6c8052c5e04794880d41c6209

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YD_Server.exe

Filesize
18KB

MD5
6bc4a6cf394eb092dfa1c79e0f9f65c7

SHA1
661b8db62faa9fefe970f4a6dc492dad455c803f

SHA256
9ee0d4edd339d0dea1359364c1914d4755f6b631590de9b5777a48d1d0afe2d7

SHA512
190984ecb252bd184b27cd467cb99ba025fbe56d40f5c472270c86f4779fc0f2e14b0e9a1140522423355274803d509fa24ee79d7618f27daf585b0204a1a4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YD_Server.exe

Filesize
18KB

MD5
6bc4a6cf394eb092dfa1c79e0f9f65c7

SHA1
661b8db62faa9fefe970f4a6dc492dad455c803f

SHA256
9ee0d4edd339d0dea1359364c1914d4755f6b631590de9b5777a48d1d0afe2d7

SHA512
190984ecb252bd184b27cd467cb99ba025fbe56d40f5c472270c86f4779fc0f2e14b0e9a1140522423355274803d509fa24ee79d7618f27daf585b0204a1a4d3

Download Submit
C:\Windows\SysWOW64\360fp.exe

Filesize
18KB

MD5
6bc4a6cf394eb092dfa1c79e0f9f65c7

SHA1
661b8db62faa9fefe970f4a6dc492dad455c803f

SHA256
9ee0d4edd339d0dea1359364c1914d4755f6b631590de9b5777a48d1d0afe2d7

SHA512
190984ecb252bd184b27cd467cb99ba025fbe56d40f5c472270c86f4779fc0f2e14b0e9a1140522423355274803d509fa24ee79d7618f27daf585b0204a1a4d3

Download Submit
C:\Windows\SysWOW64\360fp.exe

Filesize
18KB

MD5
6bc4a6cf394eb092dfa1c79e0f9f65c7

SHA1
661b8db62faa9fefe970f4a6dc492dad455c803f

SHA256
9ee0d4edd339d0dea1359364c1914d4755f6b631590de9b5777a48d1d0afe2d7

SHA512
190984ecb252bd184b27cd467cb99ba025fbe56d40f5c472270c86f4779fc0f2e14b0e9a1140522423355274803d509fa24ee79d7618f27daf585b0204a1a4d3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQÍ¼±êµãÁÁÆ÷.exe

Filesize
1.7MB

MD5
0010d2dc547c4ca7f38351b203fc3b18

SHA1
d6f8607ee6c7793198a1e2113c2bc9c33b333eff

SHA256
810abb8b9da7112cc241f09e7e975e9084b98cb0c10108ea0e8f87b56480a075

SHA512
ee76ac5643fe17f45f5c90dc49c2dbb299c330c041c57e6e87c49b3c32a73fc726a138b5fba553b85ba41bf29527108a722519b6c8052c5e04794880d41c6209

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQÍ¼±êµãÁÁÆ÷.exe

Filesize
1.7MB

MD5
0010d2dc547c4ca7f38351b203fc3b18

SHA1
d6f8607ee6c7793198a1e2113c2bc9c33b333eff

SHA256
810abb8b9da7112cc241f09e7e975e9084b98cb0c10108ea0e8f87b56480a075

SHA512
ee76ac5643fe17f45f5c90dc49c2dbb299c330c041c57e6e87c49b3c32a73fc726a138b5fba553b85ba41bf29527108a722519b6c8052c5e04794880d41c6209

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\YD_Server.exe

Filesize
18KB

MD5
6bc4a6cf394eb092dfa1c79e0f9f65c7

SHA1
661b8db62faa9fefe970f4a6dc492dad455c803f

SHA256
9ee0d4edd339d0dea1359364c1914d4755f6b631590de9b5777a48d1d0afe2d7

SHA512
190984ecb252bd184b27cd467cb99ba025fbe56d40f5c472270c86f4779fc0f2e14b0e9a1140522423355274803d509fa24ee79d7618f27daf585b0204a1a4d3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\YD_Server.exe

Filesize
18KB

MD5
6bc4a6cf394eb092dfa1c79e0f9f65c7

SHA1
661b8db62faa9fefe970f4a6dc492dad455c803f

SHA256
9ee0d4edd339d0dea1359364c1914d4755f6b631590de9b5777a48d1d0afe2d7

SHA512
190984ecb252bd184b27cd467cb99ba025fbe56d40f5c472270c86f4779fc0f2e14b0e9a1140522423355274803d509fa24ee79d7618f27daf585b0204a1a4d3

Download Submit
\Windows\SysWOW64\360fp.exe

Filesize
18KB

MD5
6bc4a6cf394eb092dfa1c79e0f9f65c7

SHA1
661b8db62faa9fefe970f4a6dc492dad455c803f

SHA256
9ee0d4edd339d0dea1359364c1914d4755f6b631590de9b5777a48d1d0afe2d7

SHA512
190984ecb252bd184b27cd467cb99ba025fbe56d40f5c472270c86f4779fc0f2e14b0e9a1140522423355274803d509fa24ee79d7618f27daf585b0204a1a4d3

Download Submit
\Windows\SysWOW64\360fp.exe

Filesize
18KB

MD5
6bc4a6cf394eb092dfa1c79e0f9f65c7

SHA1
661b8db62faa9fefe970f4a6dc492dad455c803f

SHA256
9ee0d4edd339d0dea1359364c1914d4755f6b631590de9b5777a48d1d0afe2d7

SHA512
190984ecb252bd184b27cd467cb99ba025fbe56d40f5c472270c86f4779fc0f2e14b0e9a1140522423355274803d509fa24ee79d7618f27daf585b0204a1a4d3

Download Submit
memory/748-54-0x0000000001000000-0x000000000123B000-memory.dmp

Filesize
2.2MB

Download
memory/748-121-0x0000000001000000-0x000000000123B000-memory.dmp

Filesize
2.2MB

Download
memory/748-55-0x0000000001000000-0x000000000123B000-memory.dmp

Filesize
2.2MB

Download
memory/1696-73-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-87-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-89-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-81-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-91-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-93-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-95-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-97-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-99-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-101-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-103-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-64-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-107-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-105-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-85-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-83-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-79-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-77-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-75-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-71-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-113-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-69-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-66-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-60-0x0000000075E01000-0x0000000075E03000-memory.dmp

Filesize
8KB

Download